Displaying 2 results from an estimated 2 matches for "4721dc1".
2018 Feb 09
3
[PATCH]Add address overflow check
...end)
{
fprintf (stderr, "Invalid/corrupted comments\n");
return;
}
The pointer `c` happened to be greater than `0x80000000` and the sum
overflowed, even though `length` is positive.
Here's the patch code:
*diff --git a/src/speexdec.c b/src/speexdec.c*
*index 4721dc1..18786f1 100644*
*--- a/src/speexdec.c*
*+++ b/src/speexdec.c*
@@ -105,7 +105,7 @@ static void print_comments(char *comments, int length)
end = c+length;
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ if (len < 0 || c+len>end || c+len<c)
{...
2018 Feb 09
0
[PATCH]Add address overflow check
...quot;);
>
> return;
>
> }
>
>
> The pointer `c` happened to be greater than `0x80000000` and the sum
> overflowed, even though `length` is positive.
>
> Here's the patch code:
>
> *diff --git a/src/speexdec.c b/src/speexdec.c*
>
> *index 4721dc1..18786f1 100644*
>
> *--- a/src/speexdec.c*
>
> *+++ b/src/speexdec.c*
>
> @@ -105,7 +105,7 @@static void print_comments(char *comments, int length)
>
> end = c+length;
>
> len=readint(c, 0);
>
> c+=4;
>
> - if (len < 0 || c+len>e...